You can use EMS tags on VPN policies.
However, you need to make sure the following is in place:
-> the EMS tag is associated with the tunnel IP, not only with the local LAN IP of the client
-> if you have no split tunneling, the FortiClient must be able to reach EMS through the VPN tunnel
I have a functioning setup with the following:
- one policy from VPN to DNS with no tag (the client needs to be able to resolve the EMS FQDN before reaching EMS)
- one policy from VPN to EMS with no tag (the client needs to connect to EMS first, through the VPN tunnel, before it gets updated tags)
- one default policy from VPN to the local LAN with tags set
If the FortiGate does not associate the tunnel IP with the tags (and it can only do that when EMS associates the tags with the tunnel IP as well), then no access is possible.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
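The three-policy layout described in the post above, written out as FortiOS CLI. This is an added example and not the poster's configuration: the interface names (ssl.root, port2), the address objects (SSLVPN_TUNNEL_ADDR1, DNS-SRV, EMS-SRV, LAN-NET), the tag name EMS1_ZTNA_Compliant and the IP addresses are placeholders, and the `ztna-status` / `ztna-ems-tag` policy keywords are the 7.0.1+ syntax as I recall it, so check them against the CLI reference for your FortiOS version. The ordering matters: the two untagged policies must sit above the tagged one so the bootstrap traffic (DNS, then FortiClient-to-EMS) is accepted before any tag can exist for the tunnel IP.

```fortios
# Added example (not from the post). All object names and addresses are placeholders.
# Policy order: DNS (untagged) -> EMS (untagged) -> LAN (tagged). The first two let a
# freshly connected client register its tunnel IP with EMS; only then can the tag match.

config firewall address
    edit "DNS-SRV"
        set subnet 10.10.0.53 255.255.255.255
    next
    edit "EMS-SRV"
        set subnet 10.10.0.20 255.255.255.255
    next
    edit "LAN-NET"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# FortiClient talks to EMS on TCP 8013 by default; define it as a service object
# so the untagged EMS policy does not open more than it needs to.
config firewall service custom
    edit "EMS-8013"
        set tcp-portrange 8013
    next
end

config firewall policy
    # 1. Tunnel -> DNS, no tag: the client must resolve the EMS FQDN before anything else.
    edit 0
        set name "VPN-to-DNS-untagged"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DNS-SRV"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    # 2. Tunnel -> EMS, no tag: until FortiClient reports through the tunnel, EMS does not
    #    know the tunnel IP and the FortiGate has no tag to match it against.
    edit 0
        set name "VPN-to-EMS-untagged"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "EMS-SRV"
        set action accept
        set schedule "always"
        set service "EMS-8013"
        set logtraffic all
    next
    # 3. Tunnel -> LAN, tag required: only tunnel IPs that EMS has tagged get through.
    edit 0
        set name "VPN-to-LAN-tagged"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
    next
end
```

To confirm the tunnel-IP association the post warns about, check on the FortiGate that the connected client's record shows the tunnel address and not only its LAN address (`diagnose endpoint record list`), and that the tag's dynamic address resolves to that tunnel IP (`diagnose firewall dynamic list`). If the tunnel IP is missing from either, the tagged LAN policy will never match, regardless of how the policy itself is written.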